b"NATIONAL CREDIT UNION ADMINISTRATION\n    OFFICE OF INSPECTOR GENERAL\n\n\n\n              INDEPENDENT EVALUATION OF THE\n           NATIONAL CREDIT UNION ADMINISTRATION\n              INFORMATION SECURITY PROGRAM\n                           2008\n\n\n         Report #OIG-08-08                September 24, 2008\n\n\n\n\n                              William A. DeSarno\n                               Inspector General\n\n\n    Released by:                            Auditor-in-Charge:\n\n\n\n\n    James Hagen                            W. Marvin Stith, CISA\n    Asst IG for Audits                     Sr Information Technology Auditor\n\n\n\n\n                         LIMITED OFFICIAL USE ONLY\n\x0c                  INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                                INFORMATION SECURITY PROGRAM - 2008\n                                          Report #OIG-08-08\n\n                                             CONTENTS\n\nSection                                                                                Page\n\n   I      EXECUTIVE SUMMARY                                                                    1\n\n  II      BACKGROUND                                                                           2\n\n  III     OBJECTIVE                                                                            3\n\n  IV      METHODOLOGY AND SCOPE                                                                3\n\n  V       RESULTS IN DETAIL                                                                    5\n\n               NCUA has not adequately established segregation of duty                        5\n               controls for its applications.\n\n               NCUA needs to improve its System Software Change                               7\n               Procedures.\n\n               NCUA needs to improve its vulnerability management                             8\n               procedures.\n\n               NCUA 
has not completed E-Authentication risk                                   9\n               assessments for its systems.\n\n               NCUA has not completed security controls testing for one of                    10\n               its FISMA systems.\n\n               NCUA does not have a formal agency-wide security                               10\n               configuration guide.\n\n               NCUA has not updated its employee enter/exit/change                            11\n               procedures.\n\n               NCUA lacks a comprehensive contingency planning                                12\n               program for its FISMA systems.\n\n               NCUA has not implemented continuing education                                  13\n               requirements for its Information Technology employees.\n\n               NCUA needs to improve its Plans of Action and Milestones                       14\n               (POA&M) process.\n\n\n\n\n                                   LIMITED OFFICIAL USE ONLY\n\x0c             INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                           INFORMATION SECURITY PROGRAM - 2008\n\n                               I. 
EXECUTIVE SUMMARY\n\nThe Office of Inspector General (OIG) for the National Credit Union Administration\n(NCUA) engaged Grant Thornton LLP to independently evaluate its information systems\nand security program and controls for compliance with the Federal Information Security\nManagement Act (FISMA), Title III of the E-Government Act of 2002.\n\nGrant Thornton evaluated NCUA\xe2\x80\x99s security program through interviews, documentation\nreviews, technical configuration reviews, social engineering testing, and sample testing.\nWe evaluated NCUA against standards and requirements for federal government\nagencies such as those provided through FISMA, National Institute of Standards and\nTechnology (NIST) Special Publications (SPs), and Office of Management and Budget\n(OMB) memorandums. We conducted an exit conference with NCUA on July 23, 2008,\nto discuss evaluation results.\n\nThe NCUA has worked to further strengthen its information technology (IT) security\nprogram during Fiscal Year (FY) 2008. 
NCUA\xe2\x80\x99s accomplishments during this period\ninclude:\n\n      Implementing OMB guidance in managing Privacy and breach notifications.\n      Ninety-seven percent of NCUA employees completed annual security awareness\n      training.\n\nWe identified six areas remaining from last year\xe2\x80\x99s FISMA evaluation that still need\nimprovement:\n\n      NCUA has not adequately established segregation of duty controls for its\n      applications.\n      NCUA has not completed E-Authentication risk assessments for its systems.\n      NCUA has not completed security controls testing for one of its FISMA systems.\n      NCUA does not have a formal agency-wide security configuration guide.\n      NCUA has not updated its employee enter/exit/change procedures.\n      NCUA has not implemented continuing education requirements for its IT\n      employees.\n\nIn addition, we identified four new findings this year where NCUA could improve IT\nsecurity controls:\n\n      NCUA\xe2\x80\x99s System Software Change Procedures needs improvement.\n      NCUA vulnerability management needs improvement.\n      NCUA lacks a comprehensive contingency planning program for its FISMA\n      systems.\n      NCUA\xe2\x80\x99s Plans of Action and Milestones (POA&M) process needs improvement.\n\nWe appreciate the courtesies and cooperation provided to our auditors during this audit.\n\n\n\n                              LIMITED OFFICIAL USE ONLY\n                                          1\n\x0c             INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                           INFORMATION SECURITY PROGRAM - 2008\n                                     Report #OIG-08-08\n\n                                   II. 
BACKGROUND\n\nThis section provides background information on FISMA and NCUA.\n\nFEDERAL INFORMATION SECURITY MANAGEMENT ACT\n\nThe President signed into law the E-Government Act (Public Law 107-347), which\nincludes Title III, Information Security, on December 17, 2002. FISMA permanently\nreauthorized the framework laid out in the Government Information Security Reform Act\nof 2000 (GISRA), which expired in November 2002. FISMA continues annual review\nand reporting requirements introduced in GISRA. In addition, it includes new provisions\naimed at further strengthening the security of the federal government\xe2\x80\x99s information and\ninformation systems, such as development of minimum standards for agency systems.\nIn general, FISMA:\n\n          Lays out a framework for annual information technology security reviews,\n          reporting, and remediation plans.\n\n          Codifies existing OMB security policies, including those specified in Circular\n          A-130, Management of Federal Information Resources, and Appendix III.\n\n          Reiterates security responsibilities outlined in the Computer Security Act of\n          1987, Paperwork Reduction Act of 1995, and Clinger-Cohen Act of 1996.\n\n          Tasks NIST with defining required security standards and controls for federal\n          information systems.\n\nOMB issued the 2008 Reporting Instructions for the Federal Information Security\nManagement Act on July 16, 2008. This document provides clarification to agencies for\nimplementing, meeting, and reporting FISMA requirements to OMB and Congress.\n\nNATIONAL CREDIT UNION ADMINISTRATION (NCUA)\n\nNCUA is the independent federal agency that charters, supervises, and insures the\nnation\xe2\x80\x99s federal credit unions, and it insures many state-chartered credit unions as well.\nNCUA is funded by the credit unions it supervises and insures. 
NCUA's mission is to\nfoster the safety and soundness of federally-insured credit unions and to better enable\nthe credit union community to extend credit for productive and provident purposes to all\nAmericans, particularly those of modest means.\n\nNCUA strives to ensure that credit unions are empowered to make necessary business\ndecisions to serve the diverse needs of its members and potential members. It does\nthis by establishing a regulatory environment that encourages innovation, flexibility, and\na continued focus on attracting new members and improving service to existing\nmembers.\n\n\n                            LIMITED OFFICIAL USE ONLY\n                                          2\n\x0c             INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                           INFORMATION SECURITY PROGRAM - 2008\n                                     Report #OIG-08-08\n\n\n\nNCUA has a full-time three-member Board of Directors (Board) appointed by the\nPresident of the United States and confirmed by the Senate. The Board consists of a\nchairman, vice chairman, and member. No more than two board members can be from\nthe same political party, and each member serves a staggered six-year term. NCUA\xe2\x80\x99s\nBoard regularly meets in open session each month with the exception of August, in\nAlexandria, Virginia. In addition to its central office in Alexandria, NCUA has five\nregional offices and the Asset Management and Assistance Center (AMAC).\n\n\n                                     III. OBJECTIVE\n\nThe engagement objective was to assist the OIG in performing an independent\nevaluation of NCUA information IT security policies and procedures for compliance with\nFISMA and federal regulations and standards. 
We evaluated NCUA\xe2\x80\x99s efforts related to:\n\n          Efficiently and effectively managing its IT security program\n          Meeting responsibilities under FISMA\n          Remediating prior audit weaknesses relating to FISMA and other security\n          weaknesses identified\n          Implementing its plans of action and milestones (POA&M)\n\nAdditionally, the audit was required to provide sufficient supporting evidence of NCUA\xe2\x80\x99s\nIT security program evaluation to enable the OIG to report to OMB.\n\n\n                          IV. METHODOLOGY AND SCOPE\n\nWe compared NCUA\xe2\x80\x99s information technology (IT) security program and practices with\nFISMA and federal criteria contained in the Government Accountability Office\xe2\x80\x99s Federal\nInformation System Controls Audit Manual (FISCAM), as well as other relevant\nguidance from NIST and OMB.\n\nWe reviewed IT security control techniques for all of NCUA\xe2\x80\x99s major information systems\non a rotational basis. During this evaluation, we assessed NCUA controls over security\nplanning and program management, segregation of duties, security awareness training,\nand performed a limited scope vulnerability assessment. 
In addition, we evaluated\nadditional areas required to report under OMB M-08-21 such as reviews of Privacy and\nbreach notification, Certification and Accreditation (C&A) documentation including\nsystem security plans, risk assessments, contingency plans, and certification reports.\nFurthermore, we reviewed existing IT security controls and identified weaknesses\nimpacting certain components affecting the General Support System (GSS), application\nsecurity (to include change controls and configuration management) and service\ncontinuity.\n\n                            LIMITED OFFICIAL USE ONLY\n                                          3\n\x0c             INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                           INFORMATION SECURITY PROGRAM - 2008\n                                     Report #OIG-08-08\n\n\n\nWe performed our engagement in accordance with generally accepted government\nauditing standards (GAGAS), audit standards promulgated by the American Institute of\nCertified Public Accountants (AICPA), and information systems standards issued by the\nInformation Systems Audit & Control Association (ISACA).\n\n\n\n\n                            LIMITED OFFICIAL USE ONLY\n                                          4\n\x0c                  INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                                INFORMATION SECURITY PROGRAM - 2008\n                                          Report #OIG-08-08\n\n                                          V. RESULTS IN DETAIL\n\nSecurity program planning and management controls are designed to provide the\nframework and continuing cycle of activity for managing risk, developing security\npolicies, assigning responsibilities, and monitoring the adequacy of an entity's\ncomputer-related controls. NCUA has made progress addressing last year\xe2\x80\x99s reported\ndeficiencies; however, some deficiencies remain. 
In addition, we identified other areas\nfor improvement that require management's attention as discussed below.\n\n\n1.       NCUA has not adequately established segregation of duty controls for its\n         applications.\n\nNCUA does not have adequate change controls or controls for segregation of duties1 in\nplace for its applications. Specifically we found that:\n\n         Programmers for FISMA applications (the NCUA Accounting System, the Call\n         Report System, and the Insurance Information System) are improperly\n         authorized access to both development and production application environments.\n\n         A single SAP administrator has sole responsibility for managing system\n         operations in the production SAP R/3 application.\n\n         One senior programmer has access to all of the NCUA production environments\n         without documented justification or compensating controls.\n\n         NCUA has not documented and implemented policy and procedures enforcing\n         periodic supervisory review and monitoring of programmer activities.\n\n         AMAC\xe2\x80\x99s security plan addresses procedures for implementing major or\n         substantial changes to software. However, NCUA does not have documented\n         change control procedures for commercial-off-the-shelf (COTS)2 software in\n         general. In addition, NCUA could not provide evidence to support that\n         management approved the implementation of changes to the AMAC AFTECH\n         COTS application after they were tested.\n\nThis is a repeat finding from the FY 2007 FISMA evaluation.\n\nThe OCIO has indicated that although NCUA recognizes the value of formal\nsegregation of duties on application change management, resource constraints prohibit\na comprehensive implementation throughout the organization. However, by not\n1\n  Segregation of duties is the practice of dividing the steps in a critical function among different individuals. 
For\nexample, one system programmer can create a critical piece of operating system code, while another authorizes its\nimplementation. Such a control keeps a single individual from subverting a critical process.\n2\n  COTS is software or hardware that is ready-made and available for sale, lease, or license to the general public. It is\noften used as an alternative to in-house developments.\n\n\n                                     LIMITED OFFICIAL USE ONLY\n                                                   5\n\x0c              INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                            INFORMATION SECURITY PROGRAM - 2008\n                                      Report #OIG-08-08\n\nrestricting programmer access to production environments, NCUA increases the risk\nthat intentional or unintentional error, alteration, or deletion of data within the FISMA\nsystems may occur. This could negatively impact NCUA by affecting the quality and\naccuracy of the data it provides to its customers and its examiners.\n\nNIST Special Publication 800-53 indicates that information systems should enforce\nsegregation of duties through assigned access authorizations. 
The organization should\nestablish appropriate divisions of responsibility and separate duties as needed to\neliminate conflicts of interest in the responsibilities and duties of individuals.\n\nIn addition, FISCAM CC-2 indicates a disciplined process for testing and approving new\nand modified programs prior to their implementation is essential to make sure programs\noperate as intended and that no unauthorized changes are introduced.\n\nRecommendation 1: We recommend that OCIO:\n\n   1) Examine existing roles and responsibilities of all OCIO programmers/computer\n      specialists/SAP administrators and define residual risks associated with\n      segregation of duties conditions created by organizational constraints.\n\n   2) Establish and implement compensating controls if segregation of duties conflicts\n      cannot be easily resolved.\n\n   3) Document COTS change control procedures in the NCUA Software Development\n      Handbook.\n\nAgency Response: Agree. We would like to clarify two items:\n\n       The SAP administrator is not responsible for any application development and\n       therefore, segregation of duties does not seem to apply here.\n       Each security plan covers COTS change control procedures. 
We will update the\n       AMAC security plan to make sure there is adequate documentation authorizing\n       updates to the AFTECH system.\n\n   OCIO will:\n\n       1) Do a complete review of the existing roles and responsibilities of all\n          programmers, computer specialists and SAP administrators and define the\n          segregation of duties risks within our organization.\n       2) Implement compensating controls for any remaining segregation of duties\n          conflicts.\n       3) Document change control procedures in the NCUA Software Development\n          Handbook.\n\n\n\n\n                             LIMITED OFFICIAL USE ONLY\n                                           6\n\x0c                    INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                                  INFORMATION SECURITY PROGRAM - 2008\n                                            Report #OIG-08-08\n\nOIG Response: The OIG concurs with the planned corrective actions. The OIG notes\nthat controls for segregation of duties are not limited to application development\nresponsibilities. Any position that performs a task within a manual or automated system\nis subject to segregation of duties. Therefore, segregation of duties would apply to the\nSAP administrator. However, the OIG also notes management indicated it would\ninclude a review of SAP administrators in its review of segregation of duties roles and\nresponsibilities.\n\n\n2.         NCUA needs to improve its System Software Change Procedures.\n\nNCUA has documented change requests and executions for various system software\ncomponents. However, change control records are neither comprehensive nor\nsufficiently detailed. In addition, the NCUA Information Security Officer (ISO) maintains\nthe records for change requests in an email archive. However, the ISO does not\nmaintain corresponding records of approval and change execution. 
Furthermore, some\nof the NCUA change requests do not adequately document the change. Specifically,\nwe sampled 22 changes and determined:\n\n           Four changes are missing two or more information elements (as identified below)\n           required for change notifications.\n\n           Seventeen changes do not indicate the type of message: Informational,\n           Authorization, Emergency, or Committee.\n\n           Two changes indicate that changes requiring two approvals will proceed with\n           only one approval unless the requester hears otherwise.\n\nNCUA has not documented and implemented clear and comprehensive change\nmanagement policies and procedures to ensure that all changes are properly\ndocumented and approved. By not having comprehensive documented and\nimplemented change controls for system software, NCUA increases the risk of\nunauthorized changes being made to NCUA systems. In addition, NCUA\xe2\x80\x99s ability to\naccurately track historical changes is substantially hindered, reducing the ability to\nidentify and reverse any changes later determined to have an adverse impact.\n\nThe NCUA Computing Infrastructure System Security Plan requires that all changes to\nthe network be documented by sending an email3 to the Configuration Control\ndistribution list. Currently, the only exceptions to this rule are changes resulting from an\nemployee add/change/exit action. The email change notification/request must contain\nsix information elements:\n\n                1. Type of message.\n                2. 
What is this change?\n3\n    The Configuration Control Mailbox will keep a history of all changes.\n\n\n                                       LIMITED OFFICIAL USE ONLY\n                                                     7\n\x0c               INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                             INFORMATION SECURITY PROGRAM - 2008\n                                       Report #OIG-08-08\n\n          3.   Why is it needed?\n          4.   When is it planned to be implemented?\n          5.   Who is affected?\n          6.   What is your recovery plan in case of trouble?\n\nIn addition, given that all GSS components have a minimum security categorization of\nModerate, they are subject to the following requirements per NIST 800-53:\n\n      The organization develops, disseminates, and periodically reviews/updates: (i) a\n      formal, documented, configuration management policy that addresses purpose,\n      scope, roles, responsibilities, management commitment, coordination among\n      organizational entities, and compliance.\n\n      Configuration change control involves the systematic proposal, justification,\n      implementation, test/evaluation, review, and disposition of changes to the\n      information system, including upgrades and modifications.\n\n      The organization employs automated mechanisms to: (i) document proposed\n      changes to the information system; (ii) notify appropriate approval authorities; (iii)\n      highlight approvals that have not been received in a timely manner; (iv) inhibit\n      change until necessary approvals are received; and (v) document completed\n      changes to the information system.\n\nRecommendation 2: We recommend that OCIO:\n\n      1) Update its system software change control policies and procedures.\n\n      2) Ensure that all information required for a change request/notification is\n         properly documented.\n\nAgency Response: Agree. 
OCIO will revisit the system software change control\nprocedures and strengthen them with emphasis on improving the implementation and\ntracking documentation. This will be implemented by June 1, 2009.\n\nOIG Response: The OIG concurs with the planned corrective actions.\n\n\n3.    NCUA needs to improve its vulnerability management procedures.\n\nThis finding pertains to a FY 2007 finding that noted a number of ports/communication\nservices were available on NCUA SAP and ARIES servers. Follow-up from the\nFY 2007 assessment indicates NCUA management has not implemented a procedure\nto periodically reassess the number of open ports and services on NCUA servers.\n\n\n\n\n                              LIMITED OFFICIAL USE ONLY\n                                            8\n\x0c                 INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                               INFORMATION SECURITY PROGRAM - 2008\n                                         Report #OIG-08-08\n\nNCUA asserts that, given its current level of resources, it does not have time to\nperiodically reassess the number of open ports and services on NCUA servers.\nHowever, by not restricting the number of ports and communication services, NCUA\nincreases the risk of an unauthorized person gaining access to the systems. NCUA\nshould correlate its systems\xe2\x80\x99 ports and services to a business need and the services\nrequired that meet that business need.\n\nNIST SP 800-53 guides that organizations conduct an assessment of the security\ncontrols in the information system to determine the extent to which the controls are\nimplemented correctly, operating as intended, and producing the desired outcome with\nrespect to meeting the security requirements for the system.\n\nRecommendation 3: We recommend that OCIO implement a procedure to periodically\nreassess and determine the business need for the open ports and services on NCUA\nservers.\n\nAgency Response: Agree. 
OCIO will implement this recommendation. June 1, 2009\nis our projected completion date.\n\nOIG Response: The OIG concurs with the planned corrective action.\n\n\n4.       NCUA has not completed E-Authentication risk assessments4 for its\n         systems.\n\nWhile NCUA has completed formal risk assessments for its six NCUA systems, NCUA\ndid not specifically address E-Authentication risk considerations. This is a repeat\nfinding from the FY 2006 and FY 2007 FISMA evaluations. By not completing an\nE-Authentication risk assessment, the NCUA is not compliant with OMB policy and may\nnot fully capture risks associated with their e-Government activities.\n\nOMB Memorandum M04-04 requires agencies to review new and existing electronic\ntransactions to ensure that authentication processes provide the appropriate level of\nassurance. Additionally, the guidance applies to the remote authentication of human\nusers of Federal agency IT systems for the purposes of conducting government\nbusiness electronically (or e-government).\n\nRecommendation 4: We recommend OCIO complete the E-Authentication risk\nassessment process in accordance with OMB Memorandum 04-04, E-Authentication\nGuidance for Federal Agencies.\n\n\n4\n An E-Authentication risk assessment identifies key user roles and transactions within the application; Organizes\nconsequences of false positive authentication and impacts to the agency; and aids in mapping the application to a set\nof pre-defined authentication criteria by aligning each transaction to a consequence level.\n\n\n\n\n                                    LIMITED OFFICIAL USE ONLY\n                                                  9\n\x0c             INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                           INFORMATION SECURITY PROGRAM - 2008\n                                     Report #OIG-08-08\n\nAgency Response: Agree. 
OCIO will complete the E-Authentication risk assessment\nby June 1, 2009.\n\nOIG Response: The OIG concurs with the planned corrective action.\n\n\n5.    NCUA has not completed security controls testing for one of its FISMA\n      systems.\n\nNCUA completed testing for five of its six FISMA systems. However, while the NCUA\nPOA&M for FY 2007 indicated security controls testing was considered fully complete,\nNCUA did not perform security controls testing for the NCUA Accounting System in\nFY 2007. This is a repeat finding from the FY 2007 FISMA evaluation.\n\nBy not performing security controls testing for its systems, NCUA may not know whether\nsecurity controls in place are operating effectively. This may prevent NCUA from\nappropriately mitigating risks to an acceptable level, which could adversely impact the\nsecurity, integrity or availability of its systems.\n\nFISMA requires CIOs to evaluate a representative subset of systems, including\ninformation systems used or operated by an agency or by a contractor of an agency or\nother organization on behalf of an agency. OMB requires agencies to test security\ncontrols at least annually.\n\nRecommendation 5: We recommend that OCIO complete security controls testing for\nits FISMA systems using guidance specified by NIST SP 800-53, Recommended\nSecurity Controls for Federal Information Systems.\n\nAgency Response: Agree. OCIO will complete security controls testing by September\n30, 2008.\n\nOIG Response: The OIG concurs with the planned corrective action.\n\n\n6.    NCUA does not have a formal agency-wide security configuration guide.\n\nNCUA leverages some configuration standards for workstations and servers. However,\nNCUA has not developed a formal agency-wide security configuration guide that\nimplements a baseline configuration following the NIST enterprise baseline\nconfiguration. 
This is a repeat finding from the FY 2006 and FY 2007 FISMA\nevaluations.\n\nTo date, NCUA has not prioritized the incorporation of NIST standards to develop and\nimplement configuration standards as part of the system development lifecycle and\nsecurity environment. By not establishing and implementing a formal security\nconfiguration guide, the NCUA increases the risk of not consistently applying security\n\n                            LIMITED OFFICIAL USE ONLY\n                                         10\n\x0c              INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                            INFORMATION SECURITY PROGRAM - 2008\n                                      Report #OIG-08-08\n\nstandards across agency IT resources. This could expose NCUA systems and\nsensitive data to threats in a risk-inherent IT environment that is continuously changing.\n\nOMB Memorandum 08-21 indicates FISMA requires each agency to develop minimally\nacceptable system configuration requirements and ensure compliance with them.\nCommon security configurations provide a baseline level of security, reduce risk from\nsecurity threats and vulnerabilities, and save time and resources. This allows agencies\nto improve system performance, decrease operating costs, and ensure public\nconfidence in the confidentiality, integrity, and availability of Government information.\n\nRecommendation 6: We recommend that OCIO develop and implement a formal\nagency-wide security configuration guide that provides a baseline configuration\nfollowing NIST standards.\n\nAgency Response: Agree. OCIO will strengthen current configuration policy and\nensure adequate documentation of these standards. This will be completed by\nJune 1, 2009.\n\nOIG Response: The OIG concurs with the planned corrective action.\n\n\n7.     
NCUA has not updated its employee enter/exit/change procedures.\n\nOCIO has formal employee enter/exit/change procedures, which include notification to\nOCFO, OHR and OCIO staff. However, the procedures are outdated and do not\neffectively define responsibilities. In addition, the distribution lists for notification of\nterminated employees includes individuals who are no longer responsible for removing\nusers\xe2\x80\x99 access. Furthermore, OCIO has not documented and disseminated a process\nfor removing terminated employees\xe2\x80\x99 access from NCUA systems. This is a repeat\nfinding from the FY 2007 FISMA evaluation.\n\nBy not having current and effective employee enter/exit/change procedures, NCUA staff\nwho have a role in terminating employees may not receive timely notification and do not\nfully understand their roles and responsibilities. In addition, by not removing the access\nof terminated employees, these former employees may retain unauthorized access to\nsensitive NCUA data and systems. For example, in FY 2006, the OIG investigated and\nprosecuted a case involving unauthorized access by a former employee whose access\nhad not been removed timely. While OCIO was responsible for the existing\nenter/exit/change procedures, we believe OHR is the appropriate office for controlling\nthese procedures since they are overall responsible for all employees entering to,\nexiting from and changing positions within NCUA.\n\nThe NCUA Computing Infrastructure System Security Plan requires that the procedures\nfound in its appendix for adding, changing and deleting an NCUA employee from the\nnetwork be used. 
This procedure guides that when an employee enters, exits or needs\n\n\n                             LIMITED OFFICIAL USE ONLY\n                                          11\n\x0c             INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                           INFORMATION SECURITY PROGRAM - 2008\n                                     Report #OIG-08-08\n\nchanges to their employee information, the responsible office will email information\n(where applicable) to the appropriate distribution lists.\n\nNIST SP 800-12, indicates when user accounts are no longer required, the supervisor\nshould inform the application manager and system management office so accounts can\nbe removed in a timely manner.\n\nRecommendation 7: We recommend that:\n\n      OHR work with OCIO, OCFO and Regional offices to develop NCUA employee\n      enter/exit/change procedures that will provide a means for NCUA management\n      to enforce timely notification and accountability for all staff involved in the\n      termination process.\n\n      OCIO develop and distribute procedures for removing the system access of\n      terminated employees.\n\nAgency Response: Agree.\n\n      OHR will work with representatives from OCIO, OCFO and the regions to\n      develop and implement employee enter/exit/change procedures in order to\n      enforce timely notification and accountability of all staff changes.\n      OCIO will develop and distribute procedures for removing the system access of\n      terminated employees.\n\nOIG Response: The OIG concurs with the planned corrective actions.\n\n\n8.    NCUA lacks a comprehensive contingency planning program for its FISMA\n      systems.\n\nNCUA\xe2\x80\x99s contingency planning program does not address key elements recommended\nfor a comprehensive contingency plan. 
In addition, NCUA Disaster Recovery/System Contingency plans are not:

       Updated periodically.

       Tested on a routine basis (and at least annually).

       Integrated to incorporate all business applications and computing infrastructure.

       Consistently developed for all applications and business processes.

NCUA does not have policies and procedures for system owners to follow in developing, maintaining and testing contingency plans. By not developing, routinely testing and updating its IT system disaster recovery and contingency plans, or not including all key elements within a documented contingency plan, NCUA cannot ensure its ability to continue operations for the information systems that support its operations and assets.

NIST SP 800-53 guides that information system disaster recovery and contingency plans be updated frequently, and at least annually, and that contingency plan testing be coordinated with other business applications and regional requirements.

Recommendation 8: We recommend that OCIO establish policies and procedures for developing, maintaining and testing disaster recovery and contingency plans, and test and update the plans at least annually.

Agency Response: Agree. OCIO will more adequately document our disaster recovery and contingency plans and more adequately document the testing of these plans. Projected completion date is June 1, 2009.

OIG Response: The OIG concurs with the planned corrective actions.


9.    NCUA has not implemented continuing education requirements for its Information Technology employees.

OCIO has not implemented continuing education requirements for its IT employees. While NCUA requires all employees to participate in annual security awareness training and encourages employees to request the training they need, OCIO does not define the number of annual training hours IT employees should receive. In addition, we determined that OHR does not have a centralized system for managing and tracking employee training records; therefore, training documentation is not readily available. This is a repeat finding from the FY 2007 FISMA evaluation.

By not defining a training requirement program and requiring IT employees to take security-related training, NCUA cannot ensure its IT employees have the most current technical knowledge to effectively protect the confidentiality, integrity, and availability of its systems and sensitive data.

The NCUA Agency Wide Information Security Policy indicates that training oversight includes general awareness training and specific training for people with significant security responsibilities. The policy requires the CIO to ensure adequate training is planned for NCUA.

NIST SP 800-53 guides that organizations provide system managers, system and network administrators, and other personnel having access to system-level software with adequate technical training to perform their assigned duties.
It also guides that the organization document and monitor individual information system security training activities, including basic security awareness training and specific information system security training.

Recommendation 9: We recommend that:

      1) OCIO establish continuing education requirements for IT employees.

      2) OHR implement a mechanism to effectively track and report training taken.

Agency Response: Agree.

         Each OCIO division director will establish continuing education requirements for their employees and document this training using the Individual Development Plan (IDP)[5] system.

         OHR has issued a request-for-proposals to contract for a web-based learning management system (LMS). The LMS will enable the Office to monitor and track training records for every employee. OHR projects the LMS will be operational by April 2009.

OIG Response: The OIG concurs with the planned corrective actions.

[5] An IDP ensures that employees maintain the current level of job proficiency through continued training and developmental activities. In addition, employees identify new knowledge, skills and abilities to pursue, as well as the learning activities needed to reach the established goals.


10.   NCUA needs to improve its Plans of Action and Milestones (POA&M) process.

While NCUA has taken some steps to correct prior year findings, six previously identified deficiencies remain. To correct these remaining items, NCUA needs to:

         Complete its E-Authentication risk assessments.

         Define continuing education requirements and establish a mechanism to effectively track and report employees' training taken.

         Update employee enter/exit/change procedures.

         Implement a procedure to periodically reassess the number of open ports and services on NCUA servers.

         Develop an agency-wide security configuration guide.

         Complete security controls testing for NAS.

NCUA does not sufficiently review and validate whether program officials have fully remediated weaknesses identified in the POA&M before marking an item as "completed." As a result, NCUA does not properly address and resolve weaknesses identified in the POA&M, which reduces NCUA's level of compliance with OMB requirements and could ultimately reduce NCUA's ability to provide confidentiality, integrity, and availability of data within FISMA systems.

OMB and FISMA require agency officials to be involved in agency efforts to review and periodically update remediation efforts to correct outstanding weaknesses. In most cases, agencies use a POA&M process to track these efforts. The POA&M process is intended to be a tool for program officials to note changes and updates, usually on a quarterly basis.

Recommendation 10: We recommend that NCUA update its procedures to ensure that POA&M items are verified as complete before they are closed.

Agency Response: Agree. OCIO will update our procedures to require the Deputy CIO to sign off on completed items. Implementation is immediate.

OIG Response: The OIG concurs with the planned corrective action.